SAP Open Sources Java SCA Tool

SAP has released the source code for Vulnerability Assessment Tool, a software composition analysis (SCA) tool that was tested internally for two years with 20,000 scans on more than 600 projects.

The Vulnerability Assessment Tool focuses specifically on the detection of vulnerable components, as described in OWASP Top 10 2017 A9. The tool scans software packages for direct and transitive dependencies and then compares each dependency against known vulnerability sources, such as the National Vulnerability Database or the CVE list, to determine whether known vulnerabilities or exploits exist for each package. During development, this knowledge tells developers when they should upgrade certain components. During operations, when a new vulnerability is discovered, the same information can be used to locate which applications require action.

Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions.

Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. It is best to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.

SAP’s new tool goes beyond basic file listing, performing a level of static application security testing (SAST) to evaluate how each component is actually used. This is designed to minimize false positives where a vulnerable component is present but never exercised. An example would be a tool flagging the JRE itself as vulnerable to an applet vulnerability such as CVE-2016-0636, even though the JRE is used in a server-side context where applets are never loaded.

Static code analysis is performed by many organizations as a security measure to detect code-level vulnerabilities before release. Specifically, code reviews are mentioned in the PCI Secure Software Standard section 8.4.b and NIST 800-53 section SA-4 along with other detection mechanisms that analyze the code’s artifacts, like binary analysis. Another option is to continuously monitor application behavior through Integrated Application Security Testing (IAST).

The project documentation explains several limitations that pertain to the field of static analysis for security testing. Specifically, it mentions missing support for non-static information, such as Java 9 multi-release JAR files. This Java feature provides multiple class files under the same name, with the JRE selecting the appropriate class, and therefore behavior, at runtime. In a static context, without the runtime, the information needed for this decision is missing, so the analyzer must either follow all paths or default to the primary class location. The SAP tool makes the latter decision and offers an IAST-like dynamic instrumentation for Java to address this deficiency of static security analysis and detect which files are actually used.
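The multi-release JAR ambiguity described above, as an added illustration that is not part of the article or of SAP's tool: it constructs a small multi-release JAR in memory (placeholder bytes stand in for real bytecode), lists every copy of each class that a purely static scan sees, and resolves which copy a JRE of a given major version would load. `resolve(..., 8)` returns the base entry, the same "primary class location" default the article attributes to the SAP tool.

```python
import io
import zipfile
from collections import defaultdict

MANIFEST = "META-INF/MANIFEST.MF"
VERSIONS_PREFIX = "META-INF/versions/"

def build_sample_jar() -> bytes:
    """Constructed sample: a multi-release JAR that ships com/example/Util twice
    (entry bodies are placeholder bytes, not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, "Manifest-Version: 1.0\r\nMulti-Release: true\r\n\r\n")
        jar.writestr("com/example/Util.class", b"BASE")
        jar.writestr("META-INF/versions/9/com/example/Util.class", b"JAVA9")
        jar.writestr("META-INF/versions/11/com/example/Util.class", b"JAVA11")
        jar.writestr("com/example/Other.class", b"OTHER")
    return buf.getvalue()

def is_multi_release(jar: zipfile.ZipFile) -> bool:
    """Versioned entries only apply when the manifest says Multi-Release: true."""
    for line in jar.read(MANIFEST).decode("utf-8", "replace").splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "multi-release":
            return value.strip().lower() == "true"
    return False

def class_candidates(jar_bytes: bytes) -> dict:
    """Static view: class name -> {major version: entry path}; 0 is the base copy."""
    out = defaultdict(dict)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        versioned_ok = is_multi_release(jar)
        for name in (n for n in jar.namelist() if n.endswith(".class")):
            if not name.startswith(VERSIONS_PREFIX):
                out[name][0] = name  # root entry, what a Java 8 JRE would load
            elif versioned_ok:
                ver, _, cls = name[len(VERSIONS_PREFIX):].partition("/")
                if ver.isdigit():
                    out[cls][int(ver)] = name
    return dict(out)

def ambiguous_classes(candidates: dict) -> list:
    """Classes shipped more than once: a static analyser cannot tell which one runs."""
    return sorted(c for c, v in candidates.items() if len(v) > 1)

def resolve(candidates: dict, cls: str, runtime_major: int) -> str:
    """Entry a JRE of this major version loads: highest versioned copy <= it (from 9 up), else base."""
    eligible = [v for v in candidates[cls] if 9 <= v <= runtime_major]
    return candidates[cls][max(eligible) if eligible else 0]
```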